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Abstract 

This document describes the implementation of the LoopW language, an imperative language with 
higher-order procedural variables and non-local jumps equiped with a program logic, in SML. It includes 
the user manual along with some implementation notes and many examples of certified imperative pro- 
grams. As a concluding example, we show the certification of an imperative program encoding shift/reset 
using callcc/throw and a global meta-continuation. 

1 Introduction 

This document describes the implementation in Standard ML of the LoopW language [2, IJ, an imperative 
language vi^ith higher-order procedural variables and non-local jumps equiped with a program logic. 

This implementation consists firstly in a type inference tool prototype LoopW that reads partially an- 
notated imperative source code and performs combinated type checking and type inference; and secondly 
in a proof checking tool prototype LoopWc that reads completely annotated imperative source code and 
performs proof checking, translation into completely annotated functional source code and proof checking 
of the functional code. 

The complete source code archive of those prototypes along with numerous small examples of certified 
programs can be obtained at http://lacl.univ-parisl2.fr/polonowski/Develop/LoopW/loopw.html. 

Section [2] contains the user manual, describing the source syntax, the usage of the tools LoopW and 
LoopWc, and a small introduction on imperative program certification with examples. Section |3] gives details 
about the current implementation, along with small commented protions of Standard ML source code. 
Section |4] presents the overview of the source code documentation (generated using smldoc - from SML^ - 
http://www.pllab.riec.tohoku.ac.jp/smlsharp/) which is included in the source code archive. 

References 

[1] Tristan Crolard and Emmanuel Polonowski. A program logic for higher-order procedural variables and 
non-local jumps. 2010. Submitted. 

[2] Tristan Crolard, Emmanuel Polonowski, and Pierre Valarcher. Extending the loop language with higher- 
order procedural variables. ACM Transactions on Computational Logic, 10(4): 1-37, 08 2009. 
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2 User Manual 



2.1 Source syntax 



(terms) 



1 

f(t, . 



s(t) 
p(t) 
t + t 
t * t 
t - t 



. t) 



term variable 
function application 

zero 

successor 

predecessor 

addition 

multiplication 

substraction 



(types) 



$ 

(t = t) 

nat(t) 

proc({i, 

~T 



, i} in T, .... T; 
, i} out T, .... T) 



absurd 

equality over terms 
nat predicate 
procedure prototype 

negation 



(expressions) e 



q 

X 
* 



proc({i, 



, i} in X:T, 
, i} out X:T, 



X:T; 



X:T) { s } 



natural numbers constants 
program variable 
true value 

anonymous procedure declaration 



(commands) c ::= 



{ s }X:T, X:T 

for I := until e { s }X:T, X:T 

X := e 

inc(X) 

dec(X) 

e(e, . . . , e; X, . . . , X) 

X : { s }X:T, .... X:T 

jumpCe, e, .... e)X:T, X:T 



annotated block 
annotated for loop 
assignment 
incrementation 
decrementation 
procedure call 
labeled block 
jump to a label 



(sequences) s 



e 

c ; s 
est X 
var X 



= e; s 
:= e; s 



empty sequence 
command composition 
constant declaration 
variable declaration 



2 



2.2 Usage 



========== LoopW imperative proof inference and proof checking program ========== 

This tool contains two executables , namely loopW and loopWc . 

I. loopW: imperative proof inference. 

The loopW inference tool reads its input in a file with extension ".loop" and tries to 
infer a correct and complete proof derivation that corresponds to the given source code. 

usage: loopW [-version] [-vl23] [-uprint] [-print] [-pprint] [-form] [-tex] [-ott] file. loop 
-version print version and exit 

-V Verbosity level (1 : low, 2 : medium, 3 : high) 

-uprint Erase all type information and pretty print (file.cs) 

-print Pretty print (file. rev. loop) 

-pprint Complete infered proof pretty printing (file. proof) 
-form Display formula-like types instead of imperative types 
-tex Tex output 

-ott Ott/twelf complete infered proof pretty printing (file. loop. ott) 
NOTES 

- On Unix systems (including Mac OS X) you need to have mono (www.mono-project.com) 
installed and you can then run the command as: 

mono loopW.exe [-version] [-vl23] [-uprint] [-print] [-pprint] [-form] [-tex] [-ott] file. loop 

II. loopWc: imperative proof checking, functional translation and proof checking. 

The loopWc proof checker and translater tool reads its input in a file with extension 
".proof" (eventually written by the loopW tool (see above)). It first checks the imperative 
proof derivation, then it translate it into a functional proof derivation and check it. 

usage: loopWc [-version] [-vl23] [-uprint] [-f print] file. proof 
-version print version and exit 

-V Verbosity level (1 : low, 2 : medium, 3 : high) 

-uprint Erase all type information and pretty print (file. pes) 
-f print Functional translation (untyped) pretty print (file.sml) 

NOTES 

- On Unix systems (including Mac OS X) you need to have mono (www.mono-project.com) 
installed and you can then run the command as: 

mono loopWc.exe [-version] [-vl23] [-uprint] [-f print] file. proof 

- The generated sml file can be tested with SML/NJ with the provided library file: 
sml lib. sml file.sml 
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2.3 Program certification examples 
2.3.1 Addition 

est p_add = proc({x, y} in X:nat(x), Y:nat(y); out Z:nat(x + y)) { 
Z : = X : > nat (x + 0) ; 
for i := until Y { 

inc(Z) ; 
}Z :nat (x + i) ; 

>; 

var N : = * ; 
p_add(3, 5; N); 

To compile this example (in a file add. loop), we use the command: loopW add. loop. The absence of 
output indicates that the compilation was successfull. We find a new file add . typ containing the following 
text: 

est p_add = procCin X, Y; out Z) { -(X:nat(x), Y:nat(y)) [Z: (0 = 0)] 



Z := X; 

for i := until Y { 
inc(Z) ; 

>Z; 

}; 

var N : = * ; 
p_add(3, 5; N); 



I [Z:nat((x + 0))] by #1 
I -(i:nat(i)) [Z:nat((x + i))] 
I I [Z:nat(s((x + i)))] 
I [Z:nat((x + y))] by #2 

(p_add:proc({x, y} in nat(x), nat(y); out nat((x + y)))) 
[N:(0 = 0)] 
[N:nat((3 + 5))] 



1: I- (x = (x + 0)) 

2: I- (s((x + i)) = (x + s(i))) 



We find on the left part our source code (without type informations) and on the right part the typing 
derivation. Remark that variables may change their type: N is declared and assigned with * of type = 0, 
and after the procedure call, its type is nat (3 + 5). 

The bottom part of the file contains the equalities used to certify the source code. They must be checked 
(either manually or with a solver) in order to guarantee the correctness of the code. Here, the equalities are 
straightforward consequences of the usual axioms defining addition for peano arithmetic. 

In order to proof-check this program, we need to generate the intermediate file add. proof . We use the 
command loopW -pprint add. loop. We can then call the proof-checker: loopWc add. proof. Again, the 
absence of output indicates that the proof-checking was successfull. We can also generate the functional 
program: loopWc -f print add. proof. It gives us the following file add. sml: 

let val p_add (* : Forall x,y.((nat(x) & nat(y)) => (nat((x + y)))) *) = 
fn (X (* : nat(x) *) , Y (* : nat(y) *)) => 
let val Z (* : nat((x +0)) *) = 

X (* : nat(x) *) (* :> {var_l/nat(var_l)} [x = (x + 0) by #1] *) 
val Z (* : nat((x + y)) *) = 

Rec (Y (* : nat(y) *) , Z (* : nat((x +0)) *) , 

fn i (* : nat(i) *) => fn (Z (* : nat((x + i)) *)) => 

let val Z (* : nat(s((x + i))) *) = Succ(Z (* : nat((x + i)) *)) 
in Z (* : nat(s((x + i))) *) 

(* :> {var_2/(nat(var_2))}[s((x + i)) = (x + s(i)) by #2] *) end ) 
in Z (* : nat((x + y)) *) end 
val N (* : = *) = 
val N (* : nat((3 + 5)) *) = 

p_add (* : Forall x,y.((nat(x) & nat(y)) => (nat((x + y)))) *)((3, 5)) (* [3, 5] *) 
in end 
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(* 1: I- X = (x + 0) *) 

(* 2: I- s((x + i)) = (x + s(i)) *) 



If we erase all the comments containing the typing informations, we get: 

let val p_add = fn (X, Y) => 
let val Z = X 

val Z = Rec (Y, Z, fn i => fn (Z) => 
let val Z = Succ(Z) 
in Z end) 

in Z end 
val N = 
val N = p_add(3, 5) 
in ( ) end 

(* 1: I- X = (x + 0) *) 

(* 2: I- s((x + i)) = (x + s(i)) *) 

It clearly corresponds to a valid definition of addition using a recursion operator. 

2.3.2 Acker mann 

est ack = proc ({m,n} in M : nat(ni), N : nat(n); out Z : nat(a(m,n))) {. 
var G := proc ({y} in Y : nat(y); out P : nat(a(0,y))) { 
P := Y; 
inc(P) ; 

}; 

for i := until M { 
est H = G; 

G := proe ({y} in Y : nat(y); out P : nat(a(s(i) ,y))) { 
P := 2 :> nat(a(s(i) ,0)) ; 
for j := until Y { 

H(P; P); 
}P:nat(a(s(i),j)); 

>; 

>G:proe ({y} in nat(y); {} out nat(a(i,y))) ; 
G(N; Z); 

>; 

2.3.3 Negation 

Using the negation, we can use the full power of classical logic to prove theorems. For instance, the following 
program is a proof of -^(Va;. nat(a;) A -iF) =^ 3x. nat(x) A F which is not provable in intuitionnistic logic. 

est dblNegElim = proe (in K : ~~F; out Z : F) { 
K2: { 

jump(K,K2)Z:F; 
}Z:F; 

>; 

est notAllNot_implies_Exist = proc (in H : ~proc({x} in nat(x); out ~F) ; 
out C : proc(; {x} out nat(x), F)) { 

K: { 

est P = proc ({x> in N : nat(x); out Z : ~F) { 
K2: { 

dblNegElim (K2; Z) ; 
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est V = Z; 

est Q = proc(; {x} out M : nat(x), Y : F) { 
M := N; 
Y := V; 

}; 

jump(K, Q)Z:~F; 
>Z:~F; 

>; 

jump(H, P)C:proc(; {x} out nat(x), F) ; 
]-C:proc(; {x} out nat(x), F) ; 

}; 

2.3.4 Shift/reset 

est shift = proc (in p : proc(in proc({n} in nat(n), "A; out nat(F32(n)), ~A) , 

"proc ({n} in nat(n), "A; out nat(F32(n)), ~A) ; 
out proc ({nj- in nat(n), ~A; out nat(F32(n)), ~A) , 
~proc ({n} in nat(n), ~A; out nat(F32(n)), ~A)), 
iiik2 : "proc ({n} in nat(n), ~A; out nat(F32(n)), ~A) ; 
{u} out r : nat(u), mk : "nat (F32(u) ) ) { 

mk := nik2; 

est reset2 = proc ({x} in p : proc(in ~nat(F32(x)) ; out H,~H), mk2 : ~A; 

out r : nat(F32(x)), mk : ~A) { 

mk := mk2; 
k: { 

est m = mk; 

mk := proc (in r : nat(F32(x)); out Z : $) { 
jump(k, r, m)Z:$; 

>; 

var y : = * ; 
p(mk; y, mk) ; 

jump(mk, y)r :nat(F32(x)) , mk:~A; 
}r:nat(F32(x)) , mk:~A; 

>; 

k: { 

est q = proc ({x} in v : nat(x), mk2 : ~A; 

out r : nat (F32 (x) ) , mk : ~A) { 

mk := mk2; 

est anonym = proe(in mk2 : ~nat(F32(x)) ; out z : H, mk : ~H) { 
mk := mk2; 

jump(k, V, mk)z:H,mk: ~H; 

}; 

reset2(anonjnn, mk; r, mk) ; 

>; 

var y := *; 
p(q, mk; y, mk) ; 

jump(mk, y)r:nat(0), mk: ~nat(F32(0)) ; 
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}{u}r:nat(u) , mk: "nat (F32(u) ) ; 

}; 



est reset = proc (in p : proc(in ~proc({ii} in nat(n), "A; out nat(F32(n)), ~A) ; 

{v} out nat (v) , "nat (v) ) , 

mk2 : ~A; 

out r : proc({n} in nat(n), ~A; out nat(F32(n)), ~A) , 
mk : ~A) { 

mk := mk2; 
k: { 

est m = mk; 

mk := proc (in r : proc({n} in nat(n), "A; out nat(F32(n)), ~A) ; out Z : $) { 
jump(k, r, m)Z:$; 

>; 

var y := *; 

p(mk; y , mk) ; 

jump(mk, y)r:proc({n} in nat(n), ~A; out nat(F32(n)), ~A) , mk:~A; 
}r:proc({n} in nat(n), "A; out nat(F32(n)), ~A) , mk:~A; 

>; 

est a = proc (in mk2 : "A; out z : nat(3+2), mk : ~A) { 

est p_add = proc ({x,y} in X : nat(x), Y : nat(y), mk2 : "A; 
out Z : nat (x + y) , mk : ~A) { 

mk := mk2; 

Z := X :> nat(x + 0) ; 
for i := until Y { 

inc (Z) ; 
}Z:nat(x + i) ; 

>; 

est q = proe(in mk2 : ~proe({n} in nat(n), "A; out nat(F32(n)), ~A) ; 
{v} out r : nat (v) , mk : "nat (v) ) { 
mk := mk2; 

est p = proe(in f : proe ({n} in nat(n), "A; out nat(F32(n)), ~A) , 

mk2 : "proc ({n} in nat(n), ~A; out nat(F32(n)), ~A) ; 
out h : proc ({n} in nat(n), ~A; out nat(F32(n)), ~A) , 

mk : "proc ({n} in nat(n), "A; out nat(F32(n)), "A)) { 

mk := mk2; 
h := f; 

>; 

var b := *; 
shift(p, mk; b, mk) ; 
r := 3 :> nat(F32(0)) ; 
for i := until b { 

r := 2 :> nat(F32(s(i))) ; 
}r:nat(F32(i)) ; 

>; 

var mk := mk2; 
var g := *; 
reset(q, mk; g, mk) ; 
var x := *; 
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g(0, mk; X, mk) ; 

var y := *; 
g(l, mk; y, mk) ; 

p_add(x :> natO), y :> nat(2), mk; z, mk) ; 
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3 Implementation Notes 

3.1 ProofChecker source code 

Here follows the formal definition of the imperative dependent type system. 

r;fl\- x:t 

r;17hg:nat(s«(0)) 

\-£ n = m 
T;Sl\- * : n = m 

F; h e : T[n/i] T;i} \- e : n = m 
F; n h e : T[m/i] 

r;Q\- s > Ct[n/i] T;i}\- e : n = m 
r;nh s [> fl[m/i] 

r;f2he:T T, y : r; h s > f2' 
F; h est y = e; s \> fl' 

r;fihe:T T;n,y: t \- s l> fl' ,y: t' 
T; h var y := e; s l> 

T;x:a\-s\>x:T T-,il,x : t\- s' t> fl' , x : f' 
T;fl,x:a\- {s}g; s' l> fl' , x : t' 

F; n, 2/ : nat(s(n)) h s > 17', y : r 
F; O, y : nat(n) h inc(?/); s [> fl',y : t 

r;fl,y : nat(p(n)) \- s t> ^l' ,y : t 
F; O, y : nat(n) h dec(y); s t> fl',y : t 

F; O, y : C7 h e : T F; 0, y : r h s > f2', y : r' 
r;Cl,y : a \- y := e;s t> Q' ,y : t' 

T;fl,x : o'fO/i] h e : nat(n) F, y : nat(i);x : h s > ^ : CT[s(i)/i] F;n,^ : a[n/i] \- s' t> fl' , x : a' 
r;fl,x : ^[0/i] h for y := until e {s}^; s' [> Q,',x : a' 

Zy^<J) T,y : a; z : T \- s \> z : f[u/j\ 
F; n h proc (in y; out z}{s}g : proc ({i}in a; {J}out r) 

F; f2, r : cl; h p : proc ({«}in r; {J}out a) F; fi, f : w h e : r [m/z] F; f2, r : ct[u/z] h s > O', r : ct' 

F; f2,r : w h p(e; r); s > fi', r : it' 

*where JV(F) in (t.proc), J*^ J^{T, n,Q.' , a') in (t.call) and i ^ 7V(F) in (t.for) 

Its implementation is given below. The main difference is that in the current implementation, type 
variables are allowed (even if no unification is performed on them). 

(** 

* check that the given sequence represents a correct proof . 
* 

* Oparams gamma omega ( j , omegaO reg seq 
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* Oparam gamma the constant proof checking environment . 

* Qparam omega the variable proof checking environment . 

* Qparam j the out type existential quantified variables. 

* Oparam omega' the out type. 

* Oparam reg the region. 

* Oparam seq the sequence to check. 
* 

* ©return true if and only if seq is a correct proof . 
*) 

fun checkSequence gamma omega (j , omegaO reg seq = 
let val (iseq, (k, delta)) = seq 

in (* Checks whether the out type is equal to the sequence type annotation *) 
((envEquals delta omega') andalso (Utils . listEquals k j) 
andalso (checklnSequence gamma omega (k, delta) reg iseq)) 
(* Checks the internal sequence *) 
orelse typeFailureSeq gamma omega ( j , omega') seq reg 

"Proof Checker. checkSequence: out type and annotation mismatch" 

end 

and checklnSequence gamma omega ( j , omega') reg = fn 
(* Rule T. EMPTY *) 
Empty (subst) => 

(* We apply the substitution to build the instantiated type *) 
let val out_subst = substituteAllList subst omega' 
(* We restrict omega to omega' *) 

val delta = List. filter (fn (x,t) => List Assoc .memberKey x omega') omega 

in 

( (Utils . listEquals j (List. map #1 subst)) 

(* No alpha-equivalence ! Variables must be identical *) 
andalso (envEquals out_subst delta)) 

(* The instantiated type must be equal to omega *) 
orelse typeFailurelnSeq gamma omega ( j , omega') reg 
"Proof Checker . checkSequence : T . EMPTY" 

end 

(* Rule T.CST *) 

I Cst (id, typ, exp, seq) => 

((checkExp gamma omega typ reg exp) 

andalso (checkSequence (gamma +! (id, typ)) omega ( j , omega') reg seq)) 
orelse typeFailurelnSeq gamma omega ( j , omega') reg 
"Proof Checker . checkSequence : T . CST" 

(* Rule T.VAR *) 

I Var (id, typ, exp, seq) => 

((checkExp gamma omega typ reg exp) 

andalso (checkSequence gamma (omega +! (id, typ)) ( j , omega') reg seq)) 
orelse typeFailurelnSeq gamma omega ( j , omega') reg 
"Proof Checker . checkSequence : T.VAR " 

(* Rule T. BLOCK *) 

I Comm (Block (seql, (k, x_tau_list) ) , seq2) => 
(case split omega (dom x_tau_list) of 

(* We try to split omega according to the out list *) 
NONE => false (* Failure *) 
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I SOME (x_sigma_list, omega' O => 

(checkSequence gamma x_sigma_list (k, x_tau_list) reg seql) 

andalso (List. all (fn id => not (Utils . listMember id ( (f v_f ormulas (img gamma)) 

(* k not-in FV(G,W) *) 
© (fv_f ormulas (img omega)))) 
andalso ( (Utils . listMember id j) (* k in j or k not-in FV(W')*) 
orelse (not (Utils . listMember id (fv_f ormulas (img omega')))))) 

k) 

andalso (checkSequence gamma (omega'' ++ x_tau_list) ( j , omega') reg seq2)) 
orelse typeFailurelnSeq gamma omega ( j , omega') reg 
"Proof Checker . checkSequence : T . BLOCK" 

(* Rule T.INC *) 
I Comm (Inc (id, typ) , seq) => 
(case getVarType id omega of 

SOME (TNat (t)) => 

(typ = TNat (t)) andalso 

checkSequence gamma (omega +! (id, TNat (s(t)))) ( j , omega') reg seq 
I _ => false) 

orelse typeFailurelnSeq gamma omega ( j , omega') reg 
"Proof Checker . checkSequence : T . INC" 

(* Rule T.DEC *) 
I Comm (Dec (id, typ) , seq) => 
(case getVarType id omega of 
SOME (TNat (t)) => 
(typ = TNat (t)) andalso 

checkSequence gamma (omega +! (id, TNat (p(t)))) ( j , omega') reg seq 
I _ => false) 

orelse typeFailurelnSeq gamma omega ( j , omega') reg 
"Proof Checker . checkSequence : T.DEC" 

(* Rule T. ASSIGN *) 

I Comm (Affect (id, typ, exp) , seq) => 
(case getVarType id omega of 

NONE => false 
I _ => (checkExp gamma omega typ reg exp) 

andalso (checkSequence gamma (omega +! (id, typ)) ( j , omega') reg seq)) 
orelse typeFailurelnSeq gamma omega ( j , omega') reg 
"Proof Checker . checkSequence : T . ASSIGN" 

(* Rule T.FOR *) 

I Comm (For (id, lid, exp, typ, (seql, (k, sigma_i))), seq2) => 
(case (typ, split omega (dom sigma_i)) of 

(* We try to split omega according to the out list *) 
(TNat (n) , SOME (sigma_0, omega'')) => 
(envEquals sigma_0 (substituteAll lid FZero sigma_i)) 

(* Sigma [0] must be obtained *) 
andalso (checkExp gamma omega typ reg exp) 
andalso (List. length k = 0) 

(* k must be empty: no existential quantification in recursion *) 
andalso (checkSequence (gamma +! (id, TNat (Fid (lid)))) sigma_i 
(* sigma[i] |- sigma[s(i)] *) 
( [] , (substituteAll lid (s(FId (lid))) sigma_i)) reg seql) 
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andalso (checkSequence gamma (omega'' ++ (substituteAll lid n sigma_i)) 
(* sigma[n] *) 
( j , omega') reg seq2) 
andalso not (Utils.listMember lid (fv_formulas (img gamma))) 
(* i not_in FV(G) *) 
I _ => false) 

orelse typeFailurelnSeq gamma omega ( j , omega') reg 
"Proof Checker . checkSequence : T . FOR" 

(* Rule T.CALL *) 

I Comm (ProcCall (exp, typ, exp_typ_list , subst, id_typ_list) , seq) => 
((checkExp gamma omega typ reg exp) 

andalso List. all (fn (e, t) => checkExp gamma omega t reg e) exp_typ_list 

(* We split both omega and omega' to check type equalities *) 

andalso 

(case (typ, split omega (dom id_typ_list) ) of 

(TProc (i, tau_list, k, sigma_list) , SOME (_, omega")) => 
(Utils . listEquals i (List. map #1 subst)) 

(* No alpha-equivalence ! Variables must be identical *) 
andalso 

(let val tau_subst = List. map (substituteList subst) tau_list (* tau[n/i] *) 
val typ_list = List. map #2 exp_typ_list 
in (* exp_list types = tau[n/i] *) 

(ListPair .all (fn (tl, t2) => alphaEquaKtl, t2)) (tau_subst, typ_list)) 
orelse typeFailurelnSeq (List. map (fn t => (("_", 0), t)) tau_subst) 
(List. map (fn t => (("_", 0), t)) typ_list) 
( j , omega') reg "Proof Checker . checkSequence : T.CALL !!!" 

end) 

andalso (List. length id_typ_list = List. length sigma_list) 

andalso (ListPair . all (fn (tl, t2) => (substituteList subst tl) = t2) 

(sigma_list, List. map #2 id_typ_list) ) (* id_list types = sigma[n/i] *) 
andalso (checkSequence gamma (omega'' ++ id_typ_list) ( j , omega') reg seq) 
andalso (List. all (fn id => not (Utils.listMember id ( (f v_f ormulas (img gamma)) 

(* k not-in FV(G,W) *) 
(fv_f ormulas (img omega)))) 
andalso ((Utils.listMember id j) (* k in j or k not-in FV(W') *) 
orelse (not (Utils.listMember id (fv_f ormulas (img omega')))))) 

k) 

I _ => false)) 
orelse typeFailurelnSeq gamma omega ( j , omega') reg 
"Proof Checker . checkSequence : T . CALL" 

(* Rule T.SUBST-II *) 

I SSubst (seq, delta_i, lid, exp, typ) => 
((checkExp gamma omega typ reg exp) 
andalso (case typ of 

TEqual (n, m) => 

(checkSequence gamma omega ( j , (substituteAll lid n delta_i)) reg seq) 
(* delta [n/i] *) 

andalso (envEquals (substituteAll lid m delta_i) omega') (* delta[m/i] *) 
I _ => false)) 
orelse typeFailurelnSeq gamma omega ( j , omega') reg 
"Proof Checker . checkSequence : T . SUBST-II " 
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(* Rule T. LABEL *) 

I Comm (Label (id, typ, (seql, (k, id_typ_list) ) ) , seq2) => 
(case (typ, split omega (dom id_typ_list) ) of 

(TProc (k', Sigma, [] , [TBot] ) , SOME (x_tau, omega")) => 
(Utils . listEquals sigma (img id_typ_list) ) 
andalso (Utils . listEquals k k') 

(* No alpha-equivalence ! Variables must be identical *) 
andalso (checkSequence (gamma +! (id, typ)) x_tau (k, id_typ_list) reg seql) 
andalso (checkSequence gamma (omega'' ++ id_typ_list) ( j , omega') reg seq2) 
I _ => false) 

orelse typeFailurelnSeq gamma omega ( j , omega') reg 
"Proof Checker . checkSequence : T . LABEL" 

(* Rule T.JUMP *) 

I Comm (Jump (exp, typ, exp_typ_list , subst, id_typ_list) , seq) => 
((checkExp gamma omega typ reg exp) 

andalso List. all (fn (e, t) => checkExp gamma omega t reg e) exp_typ_list 
andalso (case (typ, split omega (dom id_typ_list) ) of 

(TProc (k, Sigma, [] , [TBot]), SOME (_, omega")) => 

(Utils . listEquals k (List. map #1 subst)) 

(* No alpha-equivalence ! Variables must be identical *) 

andalso 

(let val sigma_subst = List. map (substituteList subst) sigma (* sigma[n/i] *) 

val typ_list = List. map #2 exp_typ_list 
in (* We check whether exp_list types = sigma [n/i] *) 

(ListPair.all (fn (tl, t2) => alphaEqual(tl , t2)) (sigma_subst , typ_list)) 
orelse typeFailurelnSeq (List. map (fn t => (("_", 0), t)) sigma_subst) 
(List. map (fn t => (("_", 0), t)) typ.list) 
( j , omega') reg "Proof Checker. checkSequence: T.JUMP !!!" 

end) 

andalso (checkSequence gamma (omega'' ++ id_typ_list) ( j , omega') reg seq) 
I _ => false)) 
orelse typeFailurelnSeq gamma omega ( j , omega') reg 
"Proof Checker . checkSequence : T . JUMP" 

I Comm (CommRegion (c, reg), seq) => checklnSequence gamma omega ( j , omega') 

reg (Comm (c, seq)) 
I SeqRegion (seq, reg) => checklnSequence gamma omega ( j , omega') reg seq 

(** 

* check that the given expression represents a correct proof . 
* 

* Oparams gamma omega typ reg (expression, tau) 

* Qparam gamma the constant proof checking environment . 

* Oparam omega the variable proof checking environment . 

* Oparam typ the requiered type. 

* Sparam reg the region. 

* Qparam expression the expression to check. 

* Oparam tau the given type. 
* 

* ©return true if and only if expression is a correct proof of formula tau. 
*) 

and checkExp gamma omega typ reg (expression, tau) = 
(tau = typ) andalso 
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case expression of 
(* Rule T.ENV *) 
Id (id) => 

(case getVarType id (gamma ++ omega) of 
NONE => false 

I SOME t => t = typ) 

orelse typeFailureExp gamma omega typ expression reg 
"ProofChecker .checkExp: T.ENV" 

I Val (v) => checkValue gamma omega typ reg v 

(* Rule T.SUBST-I *) 

I ESubst (expl, typl, lid, exp2, typ2) => 
((checkExp gamma omega typ2 reg exp2) 
andalso (case typ2 of 
TEqual (n, m) => 

(checkExp gamma omega (substitute lid n typl) reg expl) 
andalso (typ = (substitute lid m typl)) 
I _ => false)) 
orelse typeFailureExp gamma omega typ expression reg 
"ProofChecker . checkExp : T . SUBST-I " 

(* Lemma *) 

I Lemma (typlist, typ') => 

(let val hyp = img (gamma ++ omega) 

in 

(typ = typ') andalso 

(List. all (fn x => Utils . listMember x hyp) typlist) 
end) 

orelse typeFailureExp gamma omega typ expression reg 
"ProofChecker. checkExp: Lemma" 

I ExpRegion (exp, reg) => checkExp gamma omega typ reg (exp, tau) 

(** 

* check that the given value represents a correct proof. 
* 

* Oparams v reg 

* Oparam v the value . 
* 

* ©return true if and only if p is a correct proof . 
*) 

and checkValue gamma omega typ reg (value, tau) = 
(tau = typ) andalso 
case value of 
(* Rule T.STAR *) 
Star => 

(case typ of TEqual (n, m) => true 
I _ => false) 

orelse typeFailureExp gamma omega typ (Val (value, tau)) reg 
"ProofChecker . checkValue : T . STAR" 

(* Rule T.NUM *) 
I Int (n) => 
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(typ = (TNat (mkNat n))) 

orelse typeFailureExp gamma omega typ (Val (value, tau)) reg 
"Proof Checker . checkValue : T . NUM" 

(* Rule T.PROC *) 

I Proc (i, in_list, j, out_list, (seq, ( j ' , typid_list) ) ) => 
(let val sigmalist = img in_list 
val taulist = img out_list 

in 

(typ = (TProc (i, sigmalist, j, taulist))) 
andalso (Utils . listEquals j j') 

(* No alpha-equivalence ! Variables must be identical *) 
andalso (envEquals out_list typid_list) 
andalso (checkSequence (in_list ++ gamma) 

(List. map (fn (x,t) => (x, top)) typid_list) 
(j ' , typid_list) reg seq) 
andalso (List. all (fn id => not (Utils . listMember id 

(fv_formulas (img gamma)))) i) 
(* i not-in FV(G) *) 

end) 

orelse typeFailureExp gamma omega typ (Val (value, tau)) reg 
"Proof Checker . checkValue : T . PROC" 

I ValRegion (v, reg) => checkValue gamma omega typ reg (v, tau) 

(** 

* check that the given program represents a correct proof . 
* 

* Oparams p 

* Oparam p the program. 
* 

* ©return true if and only if p is a correct proof . 
*) 

fun checkClosedProg (p : program) = 
case p of 

(SeqRegion (seq, reg) , seqType) => checkSequence empty empty seqType reg p 
I _ => raise Fail "Proof Checker . checkClosedProg: not a SeqRegion" 
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Source code documentation (Smldoc) 



Overview Index Help 



First-Order LoopW 



Inner Signature summary 

signature BASE_PRETTY_PRINTER 

The First-Order LoopW Proof Checker base pretty -printer. 

signature COMPILER 

The First- Order LoopW Proof Checker compiler. 

signature FUN_PRETTY_PRINTER 

The First-Order LoopW Proof Checker functional pretty-printer. 

signature FUN_TRANSLATION 

The First-Order LoopW Proof Checker translator into functional syntax. 

signature LIST_ASSOC 

Utility functions that deals with association lists. 

signature PRETTY_PRINTER_KEYWORDS 

The First-Order LoopW Proof Checker pretty-printer keywords for abstract syntax. 

signature PR00F_AST_UTILS 

Utility function for the proof syntax. 

signature PR00F_CHECKER 

The First- Order LoopW Proof Checker proof checking. 

signature PR00F_ENVIR0NMENT 

The First-Order LoopW Proof Checker proof environment abstract type. 

signature PROOF_PRETTY_PRINTER 

The First-Order LoopW Proof Checker proof syntax pretty-printer. 

signature TERMS 

The First-Order LoopW Proof Checker formula/term substitution and alpha-equivalence. 

signature UTILS 

Utility functions that deals with lists. 



Inner Structure summary 

structure BasePrettvPr inter 

The First-Order LoopW Proof Checker base pretty -printer. 

structure Compiler 

The First- Order LoopW Proof Checker compiler. 

structure Error 

The First-Order LoopW Proof Checker syntax error module. 

structure FunAst 

The First-Order LoopW Proof Checker functional programs abstract syntax. 

structure FunPrettvPr inter 

The First-Order LoopW Proof Checker functional pretty-printer. 
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structure FunTranslation 

The First- Order LoopW Proof Checker translator into functional syntax. 



structure FunTvpeChecker 



structure ListAssoc 

Utility functions that deals with association lists. 



structure Main 

The First- Order LoopW Proof Checker main program. 



structure Parser 



structure PrettvPr interKevwords 

The First-Order LoopW Proof Checker pretty-printer keywords for abstract syntax. 



structure ProofAst 



The First- Order LoopW Proof Checker proof abstract syntax. 



structure ProofAstUtils 

Utility function for the proof syntax. 



structure ProofChecker 



The First- Order LoopW Proof Checker proof checking. 



structure Proof Environment 



The First- Order LoopW Proof Checker proof environment abstract type. 



structure ProofPrettyPr inter 

The First-Order LoopW Proof Checker proof syntax pretty -printer. 



structure Terms 

The First- Order LoopW Proof Checker formula/term substitution and alpha- equivalence. 



structure Utils 



Utility functions that deals with lists. 



Inner Functor summary 



functor SyntaxLexFun 



Overview Index Help 
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Overview 



Index 



Help 



First-Order LoopW Type Inference 



Inner Signature summary 

signature BASE_PRETTY_PRINTER 

The First-Order LoopW Type Inference base pretty-printer. 

signature COMPILER 

The First-Order LoopW Type Inference compiler. 

signature C0RE_AST_UTILS 

Utility function for the core syntax. 

signature CORE_PRETTY_PRINTER 

The First-Order LoopW Type Inference core syntax pretty-printer. 

signature LIST_ASSOC 

Utility functions that deals with association lists. 

signature PRETTY_PRINTER_KEYWORDS 

The First-Order LoopW Type Inference pretty -printer keywords for abstract syntax. 

signature PROOF_DERIV_PRETTY_PRINTER 

The First-Order LoopW Type Inference proof derivation pretty-printer. 

signature PR00F_ENVI RONMENT 

The First-Order LoopW Type Inference proof environment abstract type. 

signature PR00F_INFER 

The First-Order LoopW Type Inference proof inference. 

signature PROOF_PRETTY_PRINTER 

The First- Order LoopW Type Inference proof syntax pretty -printer. 

signature TERMS 

The First-Order LoopW Type Inference formula/term substitution and alpha-equivalence. 

signature TERM_MATCH_UNIF 

The First-Order LoopW Type Inference formula/term matching and unification. 

signature UTILS 

Utility functions that deals with lists. 



Inner Structure summary 

structure BasePrettyPr inter 

The First-Order LoopW Type Inference base pretty-printer. 

structure Compiler 

The First-Order LoopW Type Inference compiler. 

structure CoreAst 

The First- Order LoopW Type Inference core abstract syntax. 

structure CoreAstUtils 

Utility function for the core syntax. 
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structure Cor ePrettvPr inter 

The First-Order LoopW Type Inference core syntax pretty-printer. 



structure Error 



The First- Order LoopW Type Inference syntax error module. 



structure ListAssoc 

UtiUty functions that deals with association lists. 



structure Main 

The First-Order LoopW Type Inference main program. 



structure Parser 



structure PrettvPrinterKevwords 

The First-Order LoopW Type Inference pretty -printer keywords for abstract syntax. 



structure Proof Ast 

The First- Order LoopW Type Inference proof abstract syntax. 



structure Proof Per ivPrett vPr inter 

The First-Order LoopW Type Inference proof derivation pretty-printer. 



structure Proof Environment 



The First- Order LoopW Type Inference proof environment abstract type. 



structure Proof Infer 

The First-Order LoopW Type Inference proof inference. 



structure Proof Pre ttvPr inter 

The First- Order LoopW Type Inference proof syntax pretty -printer. 



structure TermMatchUnif 



The First-Order LoopW Type Inference formula/term matching and unification. 



structure Terms 

The First-Order LoopW Type Inference formula/term substitution and alpha-equivalence. 



structure Utils 

Utility functions that deals with lists. 



Inner Functor summary 



functor SvntaxLexFun 



Overview Index Help 
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